We live In an era where digital transactions and online interactions are deeply ingrained in our everyday lives, both on a personal and business level. Organizations today collect and store vast amounts of sensitive customer information, such as personal details, financial data and transaction history. While commerce-driven businesses seek to leverage the data they collect to enhance customer experiences and improve operations, the private information of individuals and businesses is an incredibly valuable asset to cybercriminals who seek to exploit vulnerabilities and leverage stolen data for profit and illegal activities.
As the data of millions of people a day runs through commercetools’ systems, our customers trust us to protect their privacy and confidentiality. This responsibility falls on Denis Werner, Co-Founder and Chief Operating Officer of commercetools. In addition to being a commerce technology expert and an excellent volleyball player, Denis is a master of data security. Protecting the privacy and confidentiality of our customer's data, keeping up with the ever-evolving cybersecurity landscape and maintaining legal compliance is his superpower. Here, in honor of Cybersecurity Awareness Month, Denis explains why data security has become an increasingly relevant topic today, provides insights on how businesses can mitigate risk, plus offers best practices to help you protect your customers and your business from cyberattacks.
Q: Why has data security become so important to commerce-driven businesses?
A: First, we should clarify that the overall topic here is Information Security. Data security is an extension of information security — when businesses process personal data from their consumer. Nevertheless, the protection goals are the same: Availability, integrity and confidentiality.
For commerce-driven businesses, the security of the data they collect is vital and has become a cornerstone of modern business practices. They have a responsibility to protect (sensitive) information, comply with regulations, meet customer expectations, defend against cyber threats, manage supply chain risks and ensure the continuity of operations. Though the technical and organizational measures businesses employ may vary, the consequences of neglecting data security can be severe.
A few of the key reasons businesses have ramped up efforts in the data security department in recent years include:
Legal and Regulatory Compliance
Numerous data protection laws and regulations have been established globally, such as the General Data Protection Regulation (GDPR) in the European Union and the California Consumer Privacy Act (CCPA) in the United States. Businesses that fail to comply with these regulations can face significant fines and legal consequences.
As technology advances, so do the capabilities of cybercriminals. The threat landscape is constantly evolving and the attacks are becoming increasingly sophisticated. A business's best defense is to have robust data security measures and monitoring in place to defend against these threats.
A data breach or cyberattack can disrupt business operations, leading to downtime which ultimately leads to lost revenue. Data security measures, such as backup systems and disaster recovery plans, are essential for maintaining business continuity.
Reputation and Customer Expectation Management
A data breach can result in significant reputational damage that is often difficult to repair. Customers may take their business elsewhere, and the negative publicity can have long-lasting effects.
Q: What are the key challenges businesses face in ensuring robust data security in the digital commerce space?
A: Ensuring robust data security in the digital commerce space and managing third-party risk is a complex and ongoing challenge due to the ever-evolving threat landscape and the unique characteristics of online commerce. Businesses should manage some of the key challenges they face in this regard including:
Implement Measures against Sophisticated Cyberthreats
Businesses in the digital commerce space are often targeted by highly sophisticated cyberattacks, such as ransomware, phishing and distributed denial of service (DDoS) attacks. These threats continually evolve, making it challenging to stay always one step ahead.
eCommerce businesses need to scale their operations rapidly to meet increased demand during peak periods or as they expand. Ensuring that the security measures they use can scale effectively at the same time is a challenge.
Incident Response Plans
Preparing for and responding to data breaches and security incidents is crucial. Businesses need well-defined and tested incident response plans to minimize damage in case of a security breach.
To address these challenges, eCommerce businesses should implement a comprehensive cybersecurity strategy that includes regular security assessments, employee training, security policies and the use of advanced security tools and technologies.
Q: What role does commerce technology play in supporting the security of customer data? Does it play a role in preventing fraud as well?
A: From my perspective commerce technology, such as your eCommerce platform, plays a critical role in supporting the security of customer data in several ways:
Secure Payment Processing
Commerce technology often includes payment gateways that securely handle financial transactions. They should use encryption and tokenization to protect customer payment data, ensuring that sensitive information is not exposed during the transaction process.
These technologies employ encryption to protect data at rest and in transit. Customer data is encrypted when stored on servers and during transmission, making it extremely difficult for unauthorized parties to access or intercept.
Commerce technology enforces strict access controls. Only authorized personnel have access to sensitive customer data, reducing the risk of data breaches caused by insider threats or unauthorized access.
Monitoring and Alerts
These technologies should implement monitoring and alerting services to detect and respond to security incidents in real time. This includes anomaly detection and threat intelligence to identify and mitigate potential threats promptly.
Compliance with Regulations
Best-in-class commerce technology should be designed as a data processor to adhere to relevant data protection regulations, such as the General Data Protection Regulation (GDPR) or the Payment Card Industry Data Security Standard (PCI DSS), ensuring that customer data can be handled in compliance with the law.
By offering these features and best practices, commerce technology helps businesses create a secure environment for customer data, ensuring that information is protected from breaches and unauthorized access. However, businesses should also play an active role in implementing these security measures and educating their teams to minimize risk, maintain the security of customer data and prevent fraud as well.
Q: How can a business balance the need to protect data and comply with privacy laws while also delivering the personalized experiences customers demand today?
A: Balancing the need to protect data and comply with privacy laws while delivering personalized customer experiences is a complex but essential task for businesses in today's digital age. I would highlight two strategies businesses should consider to achieve this balance:
Establish clear data governance policies and practices within your organization. Ensure that all employees understand their roles and responsibilities in data protection.
Invest in Technology
Leverage technology solutions, such as advanced analytics or AI tools, to deliver personalized experiences without compromising data security or privacy.
By following these strategies, businesses can demonstrate their commitment to data protection and compliance with privacy laws while still providing the personalized experiences that customers desire. Achieving this balance requires ongoing vigilance, adaptability and a customer-centric approach to data handling and personalization.
Q: From your perspective, what are the most effective strategies and best practices business leaders can take to safeguard customer data?
A: Safeguarding customer data should be a top priority for all types of organizations. Here are my top three strategies and best practices business leaders can implement to protect customer data:
Employee Training and Awareness
Educate all employees about data security best practices and the importance of safeguarding customer data, which implies conducting regular training and awareness programs.
Implementing strong encryption techniques to protect data at rest and in transit. This includes encrypting data stored on databases and using secure communication channels (e.g., HTTPS) as well as a reliable key management system.
Access Controls and Strong Authentication
Businesses should enforce strict access controls to ensure that only authorized personnel have access to customer data. At least they need to implement role-based access control to limit permissions according to job roles. On top of that businesses should enforce strong authentication methods, such as multi-factor authentication (MFA) to access data and accounts.
Safeguarding customer data is an ongoing process that requires vigilance, adaptability and a commitment to a strong security culture within the organization. It's crucial to prioritize data protection to maintain customer trust and protect the reputation of the business.
Co-Founder and COO, commercetools
Q: How do you think advancements in technology, such as AI and machine learning, can be leveraged to enhance data security?
A: From my point of view, development in technology, particularly in the fields of artificial intelligence (AI) and machine learning (ML), offers significant opportunities to enhance data security. There are several ways in which these technologies can be leveraged to expand data security initiatives. While AI offers the potential for enhancing data security, it is essential to keep in mind that these technologies are not without challenges. They require well-trained models, larger datasets and ongoing monitoring to ensure effectiveness.
Additionally, they should only be used in conjunction with established security practices, personnel oversight and a comprehensive cybersecurity strategy to maximize their benefits. In this way, it’s possible AI technology could improve log analysis, alert correlation and threat detection capabilities — enhancing your Security Information and Event Management (SIEM) systems by proactively mitigating risks before they materialize.
Q: Can you share any examples of commercetools’ customers that have effectively prioritized data security in their digital commerce operations?
A: From what I can see every single customer of commercetools is including data security in their (daily) digital commerce operations. Prioritizing data security is not only a matter of compliance or risk management but also a crucial factor in building and maintaining a successful eCommerce business. Trust is fundamental to creating the level of loyalty that supports businesses in the long term. Having effective data security measures in place provides the reassurance that their information is safe, and you can’t put a price on that.
Q: How does commercetools view data security? What role do we play in supporting the security efforts of our customers?
A: As a true multi-tenant, cloud-native solution with a high dependency on delivering reliable and available information processing for our customers, information security is an integral part of our corporate strategy and culture. In order to fulfill our obligations, an industry-based standard Information Security Management System (ISMS) has been implemented, which regulates the handling of information throughout our organization and is centrally coordinated by a team of specialized colleagues. In order to build trust in our ISMS, we regularly conduct external Information security certifications like ISO270001 or SOC2, to highlight just two of them.
Last but not least, we play a crucial role in supporting the security efforts of our customers in various ways. We continually engage with customers in discussions to ensure they have a comprehensive understanding of our tools and services, providing them with best practices that help them enhance their own specific services and features.
Q: In honor of Cybersecurity Awareness Month, what’s the best thing a company can do to enhance its cybersecurity efforts?
A: Enhancing cybersecurity is an ongoing process, and there are many actions a company can take to strengthen its security posture. While it is challenging to pinpoint a single "best" thing to do, here is one crucial step that can significantly enhance a company's cybersecurity efforts, especially in honor of Cybersecurity Awareness Month. Educate your Employees!
Individual employees are particularly vulnerable to cyberattacks like social engineering or phishing — and thus these are the biggest threats to a business. The most effective way to enhance cybersecurity is to invest in ongoing education and awareness for your employees. In many cases, security breaches occur due to human error or lack of awareness. A well-informed and security-aware workforce can serve as the first line of defense against cyber threats. It's a proactive step that helps reduce the risk of security incidents and data breaches.
To learn more about the framework of governance, risk management and compliance monitoring commercetools has established to provide robust data security that supports the long-term success of our customers, download our white paper Information Security.